libxfont: Changes to 'debian-unstable'
ChangeLog | 186 ++++++++++
README | 59 +++
configure.ac | 9
debian/changelog | 11
debian/control | 1
debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch | 47 ++
debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch | 50 ++
debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch | 73 +++
debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch | 159 ++++++++
debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch | 68 +++
debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch | 127 ++++++
debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch | 52 ++
debian/patches/0008-CVE-2014-XXXC-integer-overflow-in-fs_alloc_glyphs.patch | 39 ++
debian/patches/0009-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_e.patch | 42 ++
debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch | 76 ++++
debian/patches/0011-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch | 59 +++
debian/patches/0012-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch | 108 +++++
debian/patches/series | 12
include/X11/fonts/fntfil.h | 14
include/X11/fonts/fontmisc.h | 2
src/FreeType/ftfuncs.c | 4
src/FreeType/xttcap.c | 1
src/bitmap/bitscale.c | 4
src/builtins/builtin.h | 4
src/builtins/dir.c | 2
src/builtins/file.c | 2
src/builtins/fpe.c | 5
src/fc/fsconvert.c | 2
src/fc/fserve.c | 19 -
src/fc/fserve.h | 2
src/fontfile/bufio.c | 6
src/fontfile/catalogue.c | 35 -
src/fontfile/dirfile.c | 4
src/fontfile/fontfile.c | 16
src/util/patcache.c | 14
35 files changed, 1239 insertions(+), 75 deletions(-)
New commits:
commit a151b05836bf26116890ea8300cf38a1b9241b60
Author: Julien Cristau <jcristau@debian.org>
Date: Tue May 13 17:30:23 2014 +0200
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index a35e2b2..9103419 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libxfont (1:1.4.7-2) UNRELEASED; urgency=high
+libxfont (1:1.4.7-2) unstable; urgency=high
* Pull from upstream git to fix FTBFS with new fontsproto (closes: #746052)
* CVE-2014-0209: integer overflow of allocations in font metadata
@@ -7,7 +7,7 @@ libxfont (1:1.4.7-2) UNRELEASED; urgency=high
* Add breaks on xfs because we broke it by disabling font protocol support
in 1.4.7.
- -- Julien Cristau <jcristau@debian.org> Thu, 08 May 2014 18:39:00 +0200
+ -- Julien Cristau <jcristau@debian.org> Tue, 13 May 2014 17:25:49 +0200
libxfont (1:1.4.7-1) unstable; urgency=high
commit 4c985dccf7b695862e30d81e3c4699af44641938
Author: Julien Cristau <jcristau@debian.org>
Date: Thu May 8 23:58:01 2014 +0200
Refresh patches
diff --git a/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch b/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch
index 90ce26b..1916e0c 100644
--- a/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch
+++ b/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch
@@ -21,11 +21,11 @@ Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
src/fc/fserve.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 3585951..aa9acdb 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2784,7 +2784,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
+Index: libxfont/src/fc/fserve.c
+===================================================================
+--- libxfont.orig/src/fc/fserve.c
++++ libxfont/src/fc/fserve.c
+@@ -2786,7 +2786,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
int ret = FSIO_ERROR;
fsConnSetup *setup;
FSFpeAltPtr alts;
@@ -34,7 +34,7 @@ index 3585951..aa9acdb 100644
int setup_len;
char *alt_save, *alt_names;
-@@ -2811,8 +2811,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
+@@ -2813,8 +2813,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
}
if (setup->num_alternates)
{
@@ -45,7 +45,7 @@ index 3585951..aa9acdb 100644
if (alts)
{
alt_names = (char *) (setup + 1);
-@@ -2821,10 +2822,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
+@@ -2823,10 +2824,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
{
alts[i].subset = alt_names[0];
alt_len = alt_names[1];
@@ -71,6 +71,3 @@ index 3585951..aa9acdb 100644
alt_names += _fs_pad_length (alt_len + 2);
}
conn->numAlts = setup->num_alternates;
---
-1.7.9.2
-
diff --git a/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch b/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch
index a864d78..009bd0f 100644
--- a/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch
+++ b/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch
@@ -16,11 +16,11 @@ Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
src/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------
1 file changed, 38 insertions(+), 6 deletions(-)
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index aa9acdb..f08028f 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -91,6 +91,12 @@ in this Software without prior written authorization from The Open Group.
+Index: libxfont/src/fc/fserve.c
+===================================================================
+--- libxfont.orig/src/fc/fserve.c
++++ libxfont/src/fc/fserve.c
+@@ -91,6 +91,12 @@ in this Software without prior written a
(pci)->descent || \
(pci)->characterWidth)
@@ -33,7 +33,7 @@ index aa9acdb..f08028f 100644
extern void ErrorF(const char *f, ...);
static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
-@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
+@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri
rep->sequenceNumber,
conn->reqbuffer[i].opcode);
}
@@ -56,7 +56,7 @@ index aa9acdb..f08028f 100644
#endif
static Bool
-@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe
int ret;
rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
@@ -73,7 +73,7 @@ index aa9acdb..f08028f 100644
return BadFontName;
}
-@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fp
int ret;
rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
@@ -90,7 +90,7 @@ index aa9acdb..f08028f 100644
return BadFontName;
}
-@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr f
FontInfoRec *fi = &bfont->pfont->info;
rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
@@ -107,7 +107,7 @@ index aa9acdb..f08028f 100644
return BadFontName;
}
-@@ -1823,13 +1848,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -1825,13 +1850,15 @@ fs_read_glyphs(FontPathElementPtr fpe, F
unsigned long minchar, maxchar;
rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
@@ -124,7 +124,7 @@ index aa9acdb..f08028f 100644
goto bail;
}
-@@ -2232,12 +2259,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -2234,12 +2261,14 @@ fs_read_list(FontPathElementPtr fpe, FSB
int err;
rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
@@ -140,7 +140,7 @@ index aa9acdb..f08028f 100644
return AllocError;
}
data = (char *) rep + SIZEOF (fsListFontsReply);
-@@ -2356,12 +2385,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -2358,12 +2387,15 @@ fs_read_list_info(FontPathElementPtr fpe
_fs_free_props (&binfo->info);
rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
@@ -157,6 +157,3 @@ index aa9acdb..f08028f 100644
goto done;
}
/*
---
-1.7.9.2
-
diff --git a/debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch b/debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch
index 079fe84..6c79ff3 100644
--- a/debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch
+++ b/debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch
@@ -17,11 +17,11 @@ Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
src/fc/fserve.c | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 232e969..581bb1b 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -1907,6 +1907,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+Index: libxfont/src/fc/fserve.c
+===================================================================
+--- libxfont.orig/src/fc/fserve.c
++++ libxfont/src/fc/fserve.c
+@@ -1909,6 +1909,7 @@ fs_read_glyphs(FontPathElementPtr fpe, F
FontInfoPtr pfi = &pfont->info;
fsQueryXBitmaps16Reply *rep;
char *buf;
@@ -29,7 +29,7 @@ index 232e969..581bb1b 100644
fsOffset32 *ppbits;
fsOffset32 local_off;
char *off_adr;
-@@ -1938,9 +1939,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -1940,9 +1941,33 @@ fs_read_glyphs(FontPathElementPtr fpe, F
buf = (char *) rep;
buf += SIZEOF (fsQueryXBitmaps16Reply);
@@ -63,7 +63,7 @@ index 232e969..581bb1b 100644
pbitmaps = (pointer ) buf;
if (blockrec->type == FS_LOAD_GLYPHS)
-@@ -1998,7 +2023,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -2000,7 +2025,9 @@ fs_read_glyphs(FontPathElementPtr fpe, F
*/
if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics))
{
@@ -74,6 +74,3 @@ index 232e969..581bb1b 100644
{
bits = allbits;
allbits += local_off.length;
---
-1.7.9.2
-
diff --git a/debian/patches/0011-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch b/debian/patches/0011-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch
index dc8badb..566ef2c 100644
--- a/debian/patches/0011-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch
+++ b/debian/patches/0011-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch
@@ -14,11 +14,11 @@ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
src/fc/fserve.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 581bb1b..4dcdc04 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2355,6 +2355,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+Index: libxfont/src/fc/fserve.c
+===================================================================
+--- libxfont.orig/src/fc/fserve.c
++++ libxfont/src/fc/fserve.c
+@@ -2357,6 +2357,7 @@ fs_read_list(FontPathElementPtr fpe, FSB
FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
fsListFontsReply *rep;
char *data;
@@ -26,7 +26,7 @@ index 581bb1b..4dcdc04 100644
int length,
i,
ret;
-@@ -2372,16 +2373,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -2374,16 +2375,30 @@ fs_read_list(FontPathElementPtr fpe, FSB
return AllocError;
}
data = (char *) rep + SIZEOF (fsListFontsReply);
@@ -57,6 +57,3 @@ index 581bb1b..4dcdc04 100644
}
_fs_done_read (conn, rep->length << 2);
return err;
---
-1.7.9.2
-
diff --git a/debian/patches/0012-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch b/debian/patches/0012-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch
index ed83b1a..4d77243 100644
--- a/debian/patches/0012-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch
+++ b/debian/patches/0012-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch
@@ -14,11 +14,11 @@ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
src/fc/fserve.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 54 insertions(+)
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 4dcdc04..c1cf9d6 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2491,6 +2491,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+Index: libxfont/src/fc/fserve.c
+===================================================================
+--- libxfont.orig/src/fc/fserve.c
++++ libxfont/src/fc/fserve.c
+@@ -2493,6 +2493,7 @@ fs_read_list_info(FontPathElementPtr fpe
FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data;
fsListFontsWithXInfoReply *rep;
char *buf;
@@ -26,7 +26,7 @@ index 4dcdc04..c1cf9d6 100644
FSFpePtr conn = (FSFpePtr) fpe->private;
fsPropInfo *pi;
fsPropOffset *po;
-@@ -2527,6 +2528,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -2529,6 +2530,7 @@ fs_read_list_info(FontPathElementPtr fpe
}
buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply);
@@ -34,7 +34,7 @@ index 4dcdc04..c1cf9d6 100644
/*
* The original FS implementation didn't match
-@@ -2535,19 +2537,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+@@ -2537,19 +2539,71 @@ fs_read_list_info(FontPathElementPtr fpe
*/
if (conn->fsMajorVersion <= 1)
{
@@ -106,6 +106,3 @@ index 4dcdc04..c1cf9d6 100644
}
#ifdef DEBUG
---
-1.7.9.2
-
commit 2dea66e730144322c41b0e5623ebfcc2266059a2
Author: Julien Cristau <jcristau@debian.org>
Date: Thu May 8 18:44:05 2014 +0200
Add Breaks on xfs
We broke it by disabling font protocol support in 1.4.7.
diff --git a/debian/changelog b/debian/changelog
index 3f1e83f..a35e2b2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,8 @@ libxfont (1:1.4.7-2) UNRELEASED; urgency=high
* CVE-2014-0209: integer overflow of allocations in font metadata
* CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
* CVE-2014-0211: integer overflows calculating memory needs for xfs replies
+ * Add breaks on xfs because we broke it by disabling font protocol support
+ in 1.4.7.
-- Julien Cristau <jcristau@debian.org> Thu, 08 May 2014 18:39:00 +0200
diff --git a/debian/control b/debian/control
index 38af7f3..d27ab11 100644
--- a/debian/control
+++ b/debian/control
@@ -27,6 +27,7 @@ Section: libs
Architecture: any
Depends: ${shlibs:Depends}, ${misc:Depends}
Conflicts: xprint (<< 2:1.6.0-1)
+Breaks: xfs (<< 1:1.1.4)
Pre-Depends: ${misc:Pre-Depends}
Multi-Arch: same
Description: X11 font rasterisation library
commit 6d3f3c6fba7a98e7d2f968bae9f50b65d32d8f3b
Author: Julien Cristau <jcristau@debian.org>
Date: Thu May 8 18:40:59 2014 +0200
Security fixes
* CVE-2014-0209: integer overflow of allocations in font metadata
* CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
* CVE-2014-0211: integer overflows calculating memory needs for xfs replies
diff --git a/debian/changelog b/debian/changelog
index b9a3152..3f1e83f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,9 @@
-libxfont (1:1.4.7-2) UNRELEASED; urgency=medium
+libxfont (1:1.4.7-2) UNRELEASED; urgency=high
* Pull from upstream git to fix FTBFS with new fontsproto (closes: #746052)
+ * CVE-2014-0209: integer overflow of allocations in font metadata
+ * CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
+ * CVE-2014-0211: integer overflows calculating memory needs for xfs replies
-- Julien Cristau <jcristau@debian.org> Thu, 08 May 2014 18:39:00 +0200
diff --git a/debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch b/debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch
new file mode 100644
index 0000000..807ea9a
--- /dev/null
+++ b/debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch
@@ -0,0 +1,47 @@
+From b3c8e47704a0ee40fbbd401a55a2167630a91ae6 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 25 Apr 2014 23:01:11 -0700
+Subject: [PATCH:libXfont 01/12] CVE-2014-XXXA: integer overflow of realloc()
+ size in FontFileAddEntry()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+FontFileReadDirectory() opens a fonts.dir file, and reads over every
+line in an fscanf loop. For each successful entry read (font name,
+file name) a call is made to FontFileAddFontFile().
+
+FontFileAddFontFile() will add a font file entry (for the font name
+and file) each time it’s called, by calling FontFileAddEntry().
+FontFileAddEntry() will do the actual adding. If the table it has
+to add to is full, it will do a realloc, adding 100 more entries
+to the table size without checking to see if that will overflow the
+int used to store the size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/fontfile/fontdir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
+index ef7ffa5..7271603 100644
+--- a/src/fontfile/fontdir.c
++++ b/src/fontfile/fontdir.c
+@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
+ if (table->sorted)
+ return (FontEntryPtr) 0; /* "cannot" happen */
+ if (table->used == table->size) {
++ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
++ /* If we've read so many entries we're going to ask for 2gb
++ or more of memory, something is so wrong with this font
++ directory that we should just give up before we overflow. */
++ return NULL;
+ newsize = table->size + 100;
+ entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
+ if (!entry)
+--
+1.7.9.2
+
diff --git a/debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch b/debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch
new file mode 100644
index 0000000..dc13234
--- /dev/null
+++ b/debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch
@@ -0,0 +1,50 @@
+From 3319cc1c44e4f5cd1ddcef7ac075c2703df48006 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 25 Apr 2014 23:01:48 -0700
+Subject: [PATCH:libXfont 02/12] CVE-2014-XXXA: integer overflow of realloc()
+ size in lexAlias()
+
+lexAlias() reads from a file in a loop. It does this by starting with a
+64 byte buffer. If that size limit is hit, it does a realloc of the
+buffer size << 1, basically doubling the needed length every time the
+length limit is hit.
+
+Eventually, this will shift out to 0 (for a length of ~4gig), and that
+length will be passed on to realloc(). A length of 0 (with a valid
+pointer) causes realloc to free the buffer on most POSIX platforms,
+but the caller will still have a pointer to it, leading to use after
+free issues.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/fontfile/dirfile.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/fontfile/dirfile.c b/src/fontfile/dirfile.c
+index cb28333..38ced75 100644
+--- a/src/fontfile/dirfile.c
++++ b/src/fontfile/dirfile.c
+@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <errno.h>
++#include <limits.h>
+
+ static Bool AddFileNameAliases ( FontDirectoryPtr dir );
+ static int ReadFontAlias ( char *directory, Bool isFile,
+@@ -376,6 +377,9 @@ lexAlias(FILE *file, char **lexToken)
+ int nsize;
+ char *nbuf;
+
++ if (tokenSize >= (INT_MAX >> 2))
++ /* Stop before we overflow */
++ return EALLOC;
+ nsize = tokenSize ? (tokenSize << 1) : 64;
+ nbuf = realloc(tokenBuf, nsize);
+ if (!nbuf)
+--
+1.7.9.2
+
diff --git a/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch b/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch
new file mode 100644
index 0000000..90ce26b
--- /dev/null
+++ b/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch
@@ -0,0 +1,76 @@
+From ba280a2116cd57f5a9e01cd7b468fcbd96428a7d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 25 Apr 2014 23:02:00 -0700
+Subject: [PATCH:libXfont 03/12] CVE-2014-XXXB: unvalidated length in
+ _fs_recv_conn_setup()
+
+The connection setup reply from the font server can include a list
+of alternate servers to contact if this font server stops working.
+
+The reply specifies a total size of all the font server names, and
+then provides a list of names. _fs_recv_conn_setup() allocated the
+specified total size for copying the names to, but didn't check to
+make sure it wasn't copying more data to that buffer than the size
+it had allocated.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/fc/fserve.c | 20 ++++++++++++++++++--
+ 1 file changed, 18 insertions(+), 2 deletions(-)
+
+diff --git a/src/fc/fserve.c b/src/fc/fserve.c
+index 3585951..aa9acdb 100644
+--- a/src/fc/fserve.c
++++ b/src/fc/fserve.c
+@@ -2784,7 +2784,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ int ret = FSIO_ERROR;
+ fsConnSetup *setup;
+ FSFpeAltPtr alts;
+- int i, alt_len;
++ unsigned int i, alt_len;
+ int setup_len;
+ char *alt_save, *alt_names;
+
+@@ -2811,8 +2811,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ }
+ if (setup->num_alternates)
+ {
++ size_t alt_name_len = setup->alternate_len << 2;
+ alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) +
+- (setup->alternate_len << 2));
++ alt_name_len);
+ if (alts)
+ {
+ alt_names = (char *) (setup + 1);
+@@ -2821,10 +2822,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ {
+ alts[i].subset = alt_names[0];
+ alt_len = alt_names[1];
++ if (alt_len >= alt_name_len) {
++ /*
++ * Length is longer than setup->alternate_len
++ * told us to allocate room for, assume entire
++ * alternate list is corrupted.
++ */
++#ifdef DEBUG
++ fprintf (stderr,
++ "invalid alt list (length %lx >= %lx)\n",
++ (long) alt_len, (long) alt_name_len);
++#endif
++ free(alts);
++ return FSIO_ERROR;
++ }
+ alts[i].name = alt_save;
+ memcpy (alt_save, alt_names + 2, alt_len);
+ alt_save[alt_len] = '\0';
+ alt_save += alt_len + 1;
++ alt_name_len -= alt_len + 1;
+ alt_names += _fs_pad_length (alt_len + 2);
+ }
+ conn->numAlts = setup->num_alternates;
+--
+1.7.9.2
+
diff --git a/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch b/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch
new file mode 100644
index 0000000..a864d78
--- /dev/null
+++ b/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch
@@ -0,0 +1,162 @@
+From 93c37e1a39c8de9cc621dde2128a1d17e56ff4eb Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 25 Apr 2014 23:02:12 -0700
+Subject: [PATCH:libXfont 04/12] CVE-2014-XXXB: unvalidated lengths when
+ reading replies from font server
+
+Functions to handle replies to font server requests were casting replies
+from the generic form to reply specific structs without first checking
+that the reply was at least as long as the struct being cast to.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 38 insertions(+), 6 deletions(-)
+
+diff --git a/src/fc/fserve.c b/src/fc/fserve.c
+index aa9acdb..f08028f 100644
+--- a/src/fc/fserve.c
++++ b/src/fc/fserve.c
+@@ -91,6 +91,12 @@ in this Software without prior written authorization from The Open Group.
+ (pci)->descent || \
+ (pci)->characterWidth)
+
++/*
++ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
++ * so this converts for doing size comparisons.
++ */
++#define LENGTHOF(r) (SIZEOF(r) >> 2)
++
+ extern void ErrorF(const char *f, ...);
+
+ static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
+@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
+ rep->sequenceNumber,
+ conn->reqbuffer[i].opcode);
+ }
++
++#define _fs_reply_failed(rep, name, op) do { \
++ if (rep) { \
++ if (rep->type == FS_Error) \
++ fprintf (stderr, "Error: %d Request: %s\n", \
++ ((fsError *)rep)->request, #name); \
++ else \
++ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
++ #name, rep->length, op, LENGTHOF(name)); \
++ } \
++} while (0)
++
+ #else
+ #define _fs_add_req_log(conn,op) ((conn)->current_seq++)
+ #define _fs_add_rep_log(conn,rep)
++#define _fs_reply_failed(rep,name,op)
+ #endif
+
+ static Bool
+@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ int ret;
+
+ rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length != LENGTHOF(fsOpenBitmapFontReply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
+ fs_cleanup_bfont (bfont);
++ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
+ return BadFontName;
+ }
+
+@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ int ret;
+
+ rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length < LENGTHOF(fsQueryXInfoReply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
+ fs_cleanup_bfont (bfont);
++ _fs_reply_failed (rep, fsQueryXInfoReply, "<");
+ return BadFontName;
+ }
+
+@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FontInfoRec *fi = &bfont->pfont->info;
+
+ rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length < LENGTHOF(fsQueryXExtents16Reply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
+ fs_cleanup_bfont (bfont);
++ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
+ return BadFontName;
+ }
+
+@@ -1823,13 +1848,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ unsigned long minchar, maxchar;
+
+ rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
+ err = AllocError;
++ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
+ goto bail;
+ }
+
+@@ -2232,12 +2259,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ int err;
+
+ rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ (rep->length < LENGTHOF(fsListFontsReply)))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ if (rep)
+ _fs_done_read (conn, rep->length << 2);
++ _fs_reply_failed (rep, fsListFontsReply, "<");
+ return AllocError;
+ }
+ data = (char *) rep + SIZEOF (fsListFontsReply);
+@@ -2356,12 +2385,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ _fs_free_props (&binfo->info);
+
+ rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
+- if (!rep || rep->type == FS_Error)
++ if (!rep || rep->type == FS_Error ||
++ ((rep->nameLength != 0) &&
++ (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
+ {
+ if (ret == FSIO_BLOCK)
+ return StillWorking;
+ binfo->status = FS_LFWI_FINISHED;
+ err = AllocError;
++ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
+ goto done;
+ }
+ /*
+--
+1.7.9.2
+
diff --git a/debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch b/debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch
new file mode 100644
index 0000000..8ff36d7
--- /dev/null
+++ b/debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch
@@ -0,0 +1,68 @@
+From 55e664ab0bafb35c67e5dfe5351209e792e7bafe Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 25 Apr 2014 23:02:25 -0700
+Subject: [PATCH:libXfont 05/12] CVE-2014-XXXC: Integer overflow in
+ fs_get_reply/_fs_start_read
+
+fs_get_reply() would take any reply size, multiply it by 4 and pass to
+_fs_start_read. If that size was bigger than the current reply buffer
+size, _fs_start_read would add it to the existing buffer size plus the
+buffer size increment constant and realloc the buffer to that result.
+
+This math could overflow, causing the code to allocate a smaller
+buffer than the amount it was about to read into that buffer from
+the network. It could also succeed, allowing the remote font server
+to cause massive allocations in the X server, possibly using up all
+the address space in a 32-bit X server, allowing the triggering of
+other bugs in code that fails to handle malloc failure properly.
+
+This patch protects against both problems, by disconnecting any
+font server trying to feed us more than (the somewhat arbitrary)
+64 mb in a single reply.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/fc/fserve.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/src/fc/fserve.c b/src/fc/fserve.c
+index f08028f..3abbacf 100644
+--- a/src/fc/fserve.c
++++ b/src/fc/fserve.c
+@@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group.
+ */
+ #define LENGTHOF(r) (SIZEOF(r) >> 2)
+
++/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
++#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
++
+ extern void ErrorF(const char *f, ...);
+
+ static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
+@@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error)
+
+ rep = (fsGenericReply *) buf;
+
++ /*
++ * Refuse to accept replies longer than a maximum reasonable length,
++ * before we pass to _fs_start_read, since it will try to resize the
++ * incoming connection buffer to this size. Also avoids integer overflow
++ * on 32-bit systems.
++ */
++ if (rep->length > MAX_REPLY_LENGTH)
++ {
++ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
++ " from font server\n", rep->length);
++ _fs_connection_died (conn);
++ *error = FSIO_ERROR;
++ return 0;
++ }
++
+ ret = _fs_start_read (conn, rep->length << 2, &buf);
+ if (ret != FSIO_READY)
+ {
+--
+1.7.9.2
+
diff --git a/debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch b/debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch
new file mode 100644
index 0000000..d3a7da6
--- /dev/null
+++ b/debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch
@@ -0,0 +1,127 @@
+From cabf7953b56ab11c2a42d81a372f5805bbf819ee Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 25 Apr 2014 23:02:34 -0700
+Subject: [PATCH:libXfont 06/12] CVE-2014-XXXB: unvalidated length fields in
+ fs_read_query_info()
+
+fs_read_query_info() parses a reply from the font server. The reply
+contains embedded length fields, none of which are validated. This
+can cause out of bound reads in either fs_read_query_info() or in
+_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/fc/fsconvert.c | 9 +++++++++
+ src/fc/fserve.c | 37 +++++++++++++++++++++++++++++++++++++
+ 2 files changed, 46 insertions(+)
+
+diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
+index 75b5372..dfa1317 100644
+--- a/src/fc/fsconvert.c
++++ b/src/fc/fsconvert.c
+@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
+ for (i = 0; i < nprops; i++, dprop++, is_str++)
+ {
+ memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
++ if ((local_off.name.position >= pi->data_len) ||
++ (local_off.name.length >
++ (pi->data_len - local_off.name.position)))
++ goto bail;
+ dprop->name = MakeAtom(&pdc[local_off.name.position],
+ local_off.name.length, 1);
+ if (local_off.type != PropTypeString) {
+@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
+ dprop->value = local_off.value.position;
+ } else {
+ *is_str = TRUE;
++ if ((local_off.value.position >= pi->data_len) ||
++ (local_off.value.length >
++ (pi->data_len - local_off.value.position)))
++ goto bail;
+ dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
+ local_off.value.length, 1);
+ if (dprop->value == BAD_RESOURCE)
+ {
++ bail:
+ free (pfi->props);
+ pfi->nprops = 0;
+ pfi->props = 0;
+diff --git a/src/fc/fserve.c b/src/fc/fserve.c
+index 3abbacf..ec5336e 100644
+--- a/src/fc/fserve.c
++++ b/src/fc/fserve.c
+@@ -854,6 +854,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FSFpePtr conn = (FSFpePtr) fpe->private;
+ fsQueryXInfoReply *rep;
+ char *buf;
++ long bufleft; /* length of reply left to use */
+ fsPropInfo *pi;
+ fsPropOffset *po;
+ pointer pd;
+@@ -885,6 +886,9 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ buf = (char *) rep;
+ buf += SIZEOF(fsQueryXInfoReply);
+
++ bufleft = rep->length << 2;
++ bufleft -= SIZEOF(fsQueryXInfoReply);
++
+ /* move the data over */
+ fsUnpack_XFontInfoHeader(rep, pInfo);
+
+@@ -892,17 +896,50 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ _fs_init_fontinfo(conn, pInfo);
+
+ /* Compute offsets into the reply */
++ if (bufleft < SIZEOF(fsPropInfo))
++ {
++ ret = -1;
++#ifdef DEBUG
++ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
++ bufleft);
++#endif
++ goto bail;
++ }
+ pi = (fsPropInfo *) buf;
+ buf += SIZEOF (fsPropInfo);
++ bufleft -= SIZEOF(fsPropInfo);
+
++ if ((bufleft / SIZEOF(fsPropOffset)) < pi->num_offsets)
++ {
++ ret = -1;
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsQueryXInfo: bufleft (%ld) / SIZEOF(fsPropOffset) < %d\n",
++ bufleft, pi->num_offsets);
++#endif
++ goto bail;
++ }
+ po = (fsPropOffset *) buf;
+ buf += pi->num_offsets * SIZEOF(fsPropOffset);
++ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
+
++ if (bufleft < pi->data_len)
++ {
++ ret = -1;
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
++ bufleft, pi->data_len);
++#endif
++ goto bail;
++ }
+ pd = (pointer) buf;
+ buf += pi->data_len;
++ bufleft -= pi->data_len;
+
+ /* convert the properties and step over the reply */
+ ret = _fs_convert_props(pi, po, pd, pInfo);
++ bail:
+ _fs_done_read (conn, rep->length << 2);
+
+ if (ret == -1)
+--
+1.7.9.2
+
diff --git a/debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch b/debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch
new file mode 100644
index 0000000..488079f
--- /dev/null
+++ b/debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch
@@ -0,0 +1,52 @@
+From 4f20a0e202605566d884ed08a752edf99fa828d6 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 25 Apr 2014 23:02:42 -0700
+Subject: [PATCH:libXfont 07/12] CVE-2014-XXXC: integer overflow in
+ fs_read_extent_info()
+
+fs_read_extent_info() parses a reply from the font server.
+The reply contains a 32bit number of elements field which is used
+to calculate a buffer length. There is an integer overflow in this
+calculation which can lead to memory corruption.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/fc/fserve.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/fc/fserve.c b/src/fc/fserve.c
+index ec5336e..96abd0e 100644
+--- a/src/fc/fserve.c
++++ b/src/fc/fserve.c
+@@ -70,6 +70,7 @@ in this Software without prior written authorization from The Open Group.
+ #include "fservestr.h"
+ #include <X11/fonts/fontutil.h>
+ #include <errno.h>
++#include <limits.h>
+
+ #include <time.h>
+ #define Time_t time_t
+@@ -1050,7 +1051,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
Reply to: